FR version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
73% Positive
Analyzed from 915 words in the discussion.
Trending Topics
#ssh#honeypot#https#public#traffic#source#sessions#interesting#ips#credentials

Discussion (31 Comments)Read Original on HackerNews
He's most likely just not very smart.
I'm currently fighting this battle.
As of this morning:
I maintain several web servers and kept seeing a constant stream of SSH login attempts. At some point I became curious: what do these bots actually try to do after they get in?
I set up a Cowrie SSH honeypot and built a small live dashboard around its JSON logs. Cowrie listens on port 22, a Python service follows the log and streams events over WebSockets, and Nginx serves the frontend. The whole thing currently runs on a 1 vCPU / 1 GB Debian VPS.
The dashboard groups activity by source IP, with individual SSH sessions nested underneath. It shows authentication attempts, commands, SSH client fingerprints, file writes and downloads, and tunneling requests in real time.
Initially I thought the interesting part would be simply watching commands appear. After looking at the collected data, I realized that recurring behavior is much more interesting than individual events.
In one roughly 8-hour sample, the honeypot recorded about 1,950 sessions from 213 source IPs. 327 sessions reached command execution.
Some recurring patterns included:
- the same SSH public key being installed 152 times from 11 source IPs - a system fingerprinting script that appears designed to distinguish a real shell from a honeypot - a downloader requesting payloads for several CPU architectures - attempts to use SSH forwarding as a proxy - distributed credential probes that connect, test one value, and immediately disconnect
This also showed me that grouping activity only by IP isn't enough. Several apparently different sources can use the same SSH client fingerprint, command sequence, public key, or downloaded artifact and probably belong to the same automated campaign.
At the moment this is primarily a live log viewer. Some directions I am considering are:
- automatic classification of sessions as scanning, credential probing, reconnaissance, persistence, downloading, or tunneling - clustering activity into campaigns using HASSH fingerprints, command sequences, SSH keys, and artifact hashes - historical statistics and searchable sessions - support for multiple distributed honeypot sensors - publishing the collector and dashboard code
The public stream currently includes source IPs, attempted credentials, and commands. I added a notice explaining that an IP may belong to a compromised machine, proxy, VPN, or scanner, but I am still thinking through the privacy and responsible-disclosure tradeoffs.
Cowrie's "login.success" events only mean that the honeypot accepted the credentials; they don't mean those credentials would work on a real server.
I'm trying to decide whether this should remain a simple live visualization or grow into a small analysis tool.
Which direction would make this project most useful or interesting to you? Are there other patterns or types of analysis that would be worth adding?
Bad actors might use the data you're publishing to fingerprint specific exploits to which the machines are vulnerable, multiplying the problem.
If producing an IP blacklist is one of your aims, divorcing it from any specific traffic would be more responsible.
You may also want to consider the risk traffic from compromised machines could leak PII (eg. say a script tried to use you as a relay to exfiltrate data) - and the ethical and legal consequences. A filter for SIN, credit cards, etc. would be a basic table-stakes mitigation step.
Hard for me to find much sympathy for negligent users who unintentionally allowed their home computers or phones to join a malicious botnet, or their ISPs who aren't stopping the activity. Even if it is my own grandma's PC.
I agree about the content though, there probably are a lot of actually innocent victims' personal information in the traffic itself.
it might be interesting to have an eye on this while you are talking to the phone scammer.
The aggregations of popular logins and IP locations seem interesting.
Try fingerprinting the behaviour in the sessions. Over time you should be able to distinguish between various automated tools and live people.